The rise of Ransomware-as-a-Service has produced a number of highly successful groups who have their “business” down to a simple exercise of playing the numbers.
In any business, the Sales efforts can be expressed as a series of numbers in a Marketing and Sales funnel, showing, basically, “if you add so many people at the top of the funnel, you get so many sales at the bottom.” For example, if you have 100 prospects visiting your website, you might have 15 that register for your product or service. And of those 15, five will have a real need, budget, and timeframe to purchase. And of those 5, two of them will actually close.
Given the massive number of organizations, and the users within them, it’s reasonable to expect that the more sophisticated groups have a general idea that for every X organizations targeted, Y of them will succumb to a ransomware attack, yielding an average of Z dollars.
Don’t believe me?
In a recent post from Microsoft explaining the cybercrime economy, they devised their own funnel of sorts based on what they’ve observed with customers:
According to this funnel, 1 out of every 2500 organizations suffers a successful ransomware attack. And I would take this number to the bank, given the sheer number of attacks Microsoft’s security team has insight into.
If you’re a math person, you might think “eh, that’s four one-hundredths of a percent. We’re ok.” But note that just under 1% of all organizations attacked are successfully compromised. That means that even if you never face the prospect of paying a ransom, you will still need to deal with the breach, notify shareholders, involve law enforcement, absorb disrupted operations, etc.
So, every organization is participating in this numbers game, whether you like it or not. The difference between the organizations that end up in the “20” or the “1” and those that don’t comes down to your preventative security strategy, which had better include Security Awareness Training. Applying that same funnel thinking to the .001% of phishing emails that make their way to the Inbox is what keeps your organization among the 2480 that aren’t affected rather than the 21 that are.